The bill's seven privacy protection principles, e.g., providing notice to and obtaining the consent of data subjects for use of their data (under the “notice” and “disclosure” principles), are reportedly modeled on those established by the Asia-Pacific Economic Cooperation (APEC) (Malaysia is a member) and the European Union Data Protection Directive (95/46/EC), and the legislation shares certain features of the data protection laws of a number of EU Member States. (Id.; APEC SECRETARIAT, APEC PRIVACY FRAMEWORK (2005), Australian Government Attorney General's Department website, available athttp://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(03995EABC73F94816C2AF4AA2645824B)~APEC+Privacy+Framework.pdf/$file/APEC+Privacy+Framework.pdf; Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, European Commission Justice and Home Affairs website, http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm (last visited Apr. 13, 2010) .)

The bill includes provisions that require registration of data users, allow for data-user forums and their preparation of codes of practice, set forth the rights of data subjects, regulate direct marketing and personal data transfers outside Malaysia, set up a Personal Data Protection Fund, and establish an Office of the Data Protection Commissioner (ODPC). The ODPC will have limited powers of investigation and enforcement; among other duties, the ODPC will be responsible for monitoring credit reference agencies' activities. The bill also provides for a Personal Data Protection Advisory Committee and an Appeal Tribunal. Inspection, complaint, and investigation procedures, as well as enforcement measures, are also outlined in the legislation. (Aplin & Purnell, supra; Personal Data Protection Bill 2009, Parliament of Malaysia website, http://www.parlimen.gov.my/billindexbi/pdf/DR352009E.pdf (last visited Apr. 13, 2010).)

According to Information Communication and Culture Minister Datuk Seri Dr Rais Yatim, the permissible time frame for retention of personal data will be determined once the legislation is implemented. (Personal Data Protection Bill Passed, THE MALAYSIAN INSIDER, Apr. 5, 2010, available athttp://www.themalaysianinsider.com/index.php/malaysia/58789-personal-data-protection-bill-passed.) Rais stressed that the bill had no compensatory provisions for unauthorized use of personal data, but “[c]omplainants can institute civil action for remedy if personal data is abused for commercial transactions.” (Id.) He added that upon the law's entry into force, credit reference agencies would have to apply to the ODPC before being allowed to retain in their databases any personal data on individuals. (Id.)